Screen OS

  • 1.  DNS host lookup problem when PPPoE is active.

    Posted 01-09-2013 08:57

     

    Hi there, I seem to have a problem with DNS host lookup on an SSG-550 running 6.3.0r6.0 when a PPPoE connection is active.

     

    I’m routing traffic out an Ethernet interface to an ADSL modem using source-based routing.

    The ADSL modem is in bridge mode, using PPPoE for authentication.

     

    I’ve set up a dedicated Ethernet interface for the modem, a dedicated zone and assigned the zone to a dedicated virtual router. No other interfaces are assigned to the zone, and no other zones are assigned to that virtual router.

     

    I needed to use a dedicated virtual router for security; the existing untrust virtual router is doing other things. The default route on the ADSL link has to be learned automatically with PPPoE, as the ISP assigns a different one each time I connect. I can then send any traffic I want to go out the ADSL line by sending it to the appropriate virtual router using source-based routing.

      

    The PPPoE and source based routing all appears to be working fine.

     

    However I notice DNS lookup on the SSG is unreliable whenever the PPPoE connection is active. DNS lookup is configured so the SSG can resolve hostnames to internal DNS via a specific source interface.

     

    My question is: how can PPPoE possibly affect DNS host lookups? Are there any verbose debugging commands for DNS host lookup? The only ones I have found don't give any more information than the event logs show.

     

    When the DNS lookup problems occur, logs show "Connection refused by the DNS server." errors.

     

    If I disable the PPPoE and associated Ethernet interfaces, DNS lookups start working again.

    When the PPPoE interface is up, the SSG can ping the DNS servers no problem.

     

    Many thanks for your help,

    Mark.

     



  • 2.  RE: DNS host lookup problem when PPPoE is active.

    Posted 01-09-2013 19:50

    Hi Mark,

     

    Are you learning DNS server IP from PPPoE connection?

    If a DNS server is learnt from PPPoE, it by default becomes the preferred DNS server and will be used for DNS lookup by the firewall.
    To change this behavior you can use the following command:
    set pppoe name <profile-name> name-server admin-preference <0-255>
    OR
    set pppoe name-server admin-preference <0-255>

    A higher value of admin-preference will be selected for DNS lookup.

    If you don't want PPPoE DNS servers to take preference, you can try to put the preference at something like 10 for PPPoE and then check the behavior.


    Hope this helps.


    Regards.

    Hardeep

    If this update is helpful, you may mark it as accepted solution for others to benefit from it.



  • 3.  RE: DNS host lookup problem when PPPoE is active.

    Posted 01-10-2013 02:54

     

    Hi Hardeep, many thanks for the reply, I wasn't aware of that behaviour.

     

    Yes, I am being sent DNS servers via PPPoE by the ISP.

     

    "get dns host server-list" shows that the SSG is adding the PPPoE-learned DNS servers to the list 🙂

     

    I had a look around, and if I do a "get pppoe name <profilename> configuration" it shows the admin preference is set to 100; this must be the default.

     

    session ID: 4125, connected for 978 minutes idle for 3 minutes
    netmask: 255.255.255.255, default route metric 1
    auto connect: 5 seconds
    random reconnect: 0 seconds (OFF)
    clear ip on disconnect: ON, update dhcp server: OFF, admin preference 100
    Update Local DNS: ON
    Use static IP: OFF

     

    Is there any way to turn "Update Local DNS:" to off?

     

    Many thanks,

    Mark.



  • 4.  RE: DNS host lookup problem when PPPoE is active.

    Posted 01-10-2013 04:44

    I can't think of a way to turn it off.
    There are no CLI commands and also no option in WebUI.
    I think if you tweak the admin preference it will help to give better priority to the local DNS configured on firewall.


    Regards.

    Hardeep

    If this update is helpful, you may mark it as accepted solution for others to benefit from it.



  • 5.  RE: DNS host lookup problem when PPPoE is active.

     
    Posted 01-10-2013 05:08

    I'm wondering if this will work....

     

    "get dns host server-list" should show the admin pref for the DNS servers.

     

    There is an option to modify the server admin pref while configuring the dns server, i.e. --

     

         "set dns host dns3 192.168.1.33 admin-preference 1"

     

    Perhaps this will force the firewall to always ignore the DNS servers learned via pppoe.

     

     

    Regards,

    Sam



  • 6.  RE: DNS host lookup problem when PPPoE is active.
    Best Answer

    Posted 01-10-2013 06:05

    Hi Sam,

     

    Yes this may help.
    I think the higher preference will be preferred.
    As PPPoE is at 100, setting the static DNS entry to more than 100 should get more priority.
    Let's see if Mark can try this. 🙂

     

    Regards.
    Hardeep



  • 7.  RE: DNS host lookup problem when PPPoE is active.

    Posted 01-10-2013 06:16

     

    Thanks guys, I had a look at the host server list and they were all set to a preference of 100. That must be the default for any configured DNS server.

     

    SSG550(M)-> get dns host server-list
    id   prot       pref src-interface   ip
    --------------------------------------------------------------------------------
      64 pppoe4      100 NULL
       |-->                              x.x.x.x ISP
      65 pppoe4      100 NULL
       |-->                              x.x.x.x ISP
      38 cli         100 ethernet0/0
       |-->                              x.x.x.x Internal
      40 cli         100 ethernet0/0
       |-->                              x.x.x.x Internal
      42 cli         100 NULL
       |-->                              0.0.0.0
    -------------------------------------------------------------------------------- 

     

    That explains why I was getting such random problems: sometimes resolution would work, sometimes it would fail. As they all had the same priority, it must have been issuing requests using some sort of internal logic.

     

    I've changed the preference on the PPPoE connections to a preference of 255 and everything looks fine so far.

     

    Now that's sorted, I've got another problem with source-based routing, but I'll re-check what I've done first before posting. 🙂

     

    Many thanks,

    Mark.

     



  • 8.  RE: DNS host lookup problem when PPPoE is active.

    Posted 01-10-2013 08:31

     

    Sorry i made a mistake!

     

    It seems that the higher the value, the higher the preference. I was expecting it to work like a routing metric, i.e. the lower the value, the higher the preference.

     

    SSG550(M)-> get dns host server-list
    id   prot       pref src-interface   ip
    --------------------------------------------------------------------------------
      38 cli         100 ethernet0/0
       |-->                              x.x.x.x Internal
      40 cli         100 ethernet0/0
       |-->                              x.x.x.x Internal
      42 cli         100 NULL
       |-->                              0.0.0.0
      66 pppoe4       50 NULL
       |-->                              x.x.x.x ISP
       |-->                              x.x.x.x ISP
      68 pppoe4       50 NULL
       |-->                              x.x.x.x ISP
       |-->                              x.x.x.x ISP
    --------------------------------------------------------------------------------
    SSG550(M)->  

     

    With the PPPoE preference set to 255, traffic was still being sent to the PPPoE DNS first; I verified this with a debug. I changed it to 50 and there was no more traffic in the debug going to the ISP's DNS; the internal servers are definitely being hit first. Verified this with Wireshark.

     

    Thanks,

    Mark.
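The two "get dns host server-list" captures in posts 7 and 8 show the misconfiguration (ISP-learned and internal servers all at preference 100) and the fix (PPPoE servers dropped below the static ones). The following is an added example, not code from the thread or from Juniper: a small Python checker that parses that output format, orders the servers the way the thread observed (higher admin-preference first) and flags any PPPoE-learned server whose preference ties or beats the best static server, which is exactly the condition that sent internal hostname lookups to the ISP. The sample captures are constructed in the same format; the ISP and internal addresses are RFC 5737 documentation addresses standing in for the x.x.x.x the poster masked.

```python
"""Check a ScreenOS `get dns host server-list` capture for preference ties.

Added example (not from the thread). Parses the table format shown in
the thread and reports learned (PPPoE) servers that would be consulted
before, or interleaved with, the statically configured ones.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the thread's format: every server at pref 100 (the bug).
SAMPLE_TIED = """\
id   prot       pref src-interface   ip
--------------------------------------------------------------------------------
  64 pppoe4      100 NULL
   |-->                              203.0.113.53 ISP
  65 pppoe4      100 NULL
   |-->                              203.0.113.54 ISP
  38 cli         100 ethernet0/0
   |-->                              192.0.2.10 Internal
  40 cli         100 ethernet0/0
   |-->                              192.0.2.11 Internal
  42 cli         100 NULL
   |-->                              0.0.0.0
--------------------------------------------------------------------------------
"""

# Constructed sample after the fix from post 8: PPPoE servers lowered to 50.
SAMPLE_FIXED = """\
id   prot       pref src-interface   ip
--------------------------------------------------------------------------------
  38 cli         100 ethernet0/0
   |-->                              192.0.2.10 Internal
  40 cli         100 ethernet0/0
   |-->                              192.0.2.11 Internal
  42 cli         100 NULL
   |-->                              0.0.0.0
  66 pppoe4       50 NULL
   |-->                              203.0.113.53 ISP
  68 pppoe4       50 NULL
   |-->                              203.0.113.54 ISP
--------------------------------------------------------------------------------
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")   # id prot pref src-if
ADDR_RE = re.compile(r"^\s*\|-->\s+(\S+)(?:\s+(.*))?$")           # |--> ip [label]


@dataclass
class DnsServer:
    entry_id: int
    source: str              # "cli" = static config, "pppoeN" = learned from PPPoE
    pref: int                # admin-preference; thread observed higher wins
    src_interface: str
    addresses: list = field(default_factory=list)


def parse_server_list(text):
    """Turn the CLI table into DnsServer records; 0.0.0.0 slots are unset and skipped."""
    servers = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            servers.append(DnsServer(int(m.group(1)), m.group(2),
                                     int(m.group(3)), m.group(4)))
            continue
        m = ADDR_RE.match(line)
        if m and servers and m.group(1) != "0.0.0.0":
            servers[-1].addresses.append(m.group(1))
    return servers


def ranked(servers):
    """Order servers as the firewall was observed to try them: highest pref first.
    sorted() is stable, so equal preferences keep table order, which is the
    ambiguity the thread ran into."""
    return sorted((s for s in servers if s.addresses), key=lambda s: -s.pref)


def preference_ties(servers):
    """Ids of learned servers whose pref ties or exceeds the best static server.
    An empty result means internal lookups cannot be diverted to the ISP."""
    static = [s for s in servers if s.source == "cli" and s.addresses]
    learned = [s for s in servers if s.source != "cli" and s.addresses]
    if not static:
        return []
    best_static = max(s.pref for s in static)
    return [s.entry_id for s in learned if s.pref >= best_static]


if __name__ == "__main__":
    for name, capture in (("tied", SAMPLE_TIED), ("fixed", SAMPLE_FIXED)):
        servers = parse_server_list(capture)
        order = [(s.entry_id, s.source, s.pref) for s in ranked(servers)]
        print(f"{name}: order={order} learned-at-or-above-static={preference_ties(servers)}")
```

Paste a real capture into `parse_server_list` to get the same report; a non-empty result from `preference_ties` is the condition to fix with `set pppoe name <profile-name> name-server admin-preference <value>` as discussed above.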